This section describes the requirements that the RSA NetWitness services must meet.
Check that the following conditions are met:
virusnameThis and other metafields (except for msg) must have the IndexValues level. Also, set the defaultAction value of these metafields to Open.
user.srcip.srcactionmsgThis metafield must have the IndexKeys (the presence of the metafield in an event is indexed) or IndexNone (the metafield is not indexed) level in the index-concentrator-custom.xml file. If you set the IndexValues level for this metafield, the hard disk space will be consumed rapidly.
event.sourcedevice.ipip.dsturlchecksumIf any of these fields are absent from the index file, add them there and restart the Concentrator, as described in section "RSA NetWitness troubleshooting".
If you do not have a Concentrator but you use a Log Decoder for storing data from Feed Service, change the index-logdecoder-custom.xml file and restart the Log Decoder as described above.
Update only the index file of a Concentrator (index-concentrator-custom.xml) if the Concentrator receives data from a Log Decoder. For more information, refer to https://community.rsa.com/docs/DOC-41760. Also, update the index file of a Log Decoder (index-logdecoder-custom.xml) if you use the Log Decoder as the source of data in which you search for events or if you use the Log Decoder to create reports or dashboards.
virusnamec_usernamesaddrdaddrurlchecksummsgevent_sourcehostipactionThe value of the flags attribute must be None for each of these metafields.
If any of these fields are absent from the index files, refer to section "RSA NetWitness troubleshooting".
Detection events sent by Feed Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields will have the kl. prefix.) For this purpose, use lines from the %service_dir%/integration/additional_elements/table-map-custom.xml and %service_dir%/integration/additional_elements/index-concentrator-custom.xml files.
<mapping envisionName="kl_detected_indicator" nwName="kl.detected" flags="None"/>
<mapping envisionName="kl_mask" nwName="kl.mask" flags="None"/>
<mapping envisionName="kl_ip" nwName="kl.ip" flags="None"/>
<mapping envisionName="kl_category" nwName="kl.category" flags="None"/>
<mapping envisionName="kl_first_seen" nwName="kl.first_seen" flags="None"/>
<mapping envisionName="kl_last_seen" nwName="kl.last_seen" flags="None"/>
<mapping envisionName="kl_popularity" nwName="kl.popularity" flags="None"/>
<mapping envisionName="kl_threat" nwName="kl.threat" flags="None"/>
<mapping envisionName="kl_industry" nwName="kl.industry" flags="None"/>
<mapping envisionName="kl_threat_score" nwName="kl.threat_score" flags="None"/>
<mapping envisionName="kl_file_size" nwName="kl.file_size" flags="None"/>
<mapping envisionName="kl_file_type" nwName="kl.file_type" flags="None"/>
<mapping envisionName="kl_behaviour" nwName="kl.behaviour" flags="None"/>
<mapping envisionName="kl_verdict" nwName="kl.verdict" flags="None"/>
<mapping envisionName="kl_pub_name" nwName="kl.pub_name" flags="None"/>
<mapping envisionName="kl_detection_date" nwName="kl.detect_date" flags="None"/>
<mapping envisionName="kl_md5" nwName="kl.md5" flags="None"/>
<mapping envisionName="kl_sha1" nwName="kl.sha1" flags="None"/>
<mapping envisionName="kl_sha2" nwName="kl.sha2" flags="None"/>
<mapping envisionName="kl_confidence" nwName="kl.confidence" flags="None"/>
<key description="kl_detected_indicator" format="Text" level="IndexKeys" name="kl.detected" defaultAction="Open"/>
<key description="kl_mask" format="Text" level="IndexKeys" name="kl.mask" defaultAction="Open"/>
<key description="kl_ip" format="IPv4" level="IndexKeys" name="kl.ip" defaultAction="Open"/>
<key description="kl_category" format="Text" level="IndexKeys" name="kl.category" defaultAction="Open"/>
<key description="kl_first_seen" format="Text" level="IndexKeys" name="kl.first_seen" defaultAction="Open"/>
<key description="kl_last_seen" format="Text" level="IndexKeys" name="kl.last_seen" defaultAction="Open"/>
<key description="kl_popularity" format="UInt8" level="IndexKeys" name="kl.popularity" defaultAction="Open"/>
<key description="kl_threat" format="Text" level="IndexKeys" name="kl.threat" defaultAction="Open"/>
<key description="kl_industry" format="Text" level="IndexKeys" name="kl.industry" defaultAction="Open"/>
<key description="kl_threat_score" format="UInt8" level="IndexKeys" name="kl.threat_score" defaultAction="Open"/>
<key description="kl_file_size" format="UInt16" level="IndexKeys" name="kl.file_size" defaultAction="Open"/>
<key description="kl_file_type" format="Text" level="IndexKeys" name="kl.file_type" defaultAction="Open"/>
<key description="kl_behaviour" format="Text" level="IndexKeys" name="kl.behaviour" defaultAction="Open"/>
<key description="kl_verdict" format="Text" level="IndexKeys" name="kl.verdict" defaultAction="Open"/>
<key description="kl_pub_name" format="Text" level="IndexKeys" name="kl.pub_name" defaultAction="Open"/>
<key description="kl_detection_date" format="Text" level="IndexKeys" name="kl.detect_date" defaultAction="Open"/>
<key description="kl_md5" format="Text" level="IndexKeys" name="kl.md5" defaultAction="Open"/>
<key description="kl_sha1" format="Text" level="IndexKeys" name="kl.sha1" defaultAction="Open"/>
<key description="kl_sha2" format="Text" level="IndexKeys" name="kl.sha2" defaultAction="Open"/>
<key description="kl_confidence" format="Text" level="IndexKeys" name="kl.confidence" defaultAction="Open"/>
You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.
Restart the log decoder and Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.
Page top